Attack campaign compromises 300,000 home routers, alters DNS settings

Note from Fred: Make sure you keep your home router current with the most recent patches. Also, make sure you have changed the default password.

IDG News Service – A group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers, according to Internet security research organization Team Cymru.

In January, Team Cymru’s researchers identified two TP-Link wireless routers whose settings were altered to send DNS (Domain Name System) requests to two particular IP addresses: 5.45.75.11 and 5.45.76.36. An analysis of the rogue DNS servers running at those IP addresses revealed a mass-scale compromise of consumer networking devices.

Over a one-week period, more than 300,000 unique IP addresses sent DNS requests to the two servers, the Team Cymru researchers said in a report released Monday. Many of those IP addresses corresponded to a range of routers, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers, that had their DNS settings maliciously altered, they said.

The researchers believe those devices were compromised using different techniques that exploit several known vulnerabilities. Many of the affected devices had their administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks or unauthorized access using default credentials, if their owners didn’t change them, the researchers said.
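
As an added example (not part of the article or the Team Cymru report), the Python below audits resolv.conf-style resolver settings on a machine behind the router against the two rogue DNS addresses named above. The sample input, the expected-resolver list and the function names are constructed for illustration.

```python
import ipaddress

# Rogue resolver addresses named in the article.
ROGUE_RESOLVERS = {ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.76.36")}

def parse_nameservers(resolv_conf_text):
    """Return resolver addresses from resolv.conf-style text, skipping comments and junk."""
    found = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]   # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(parts[1].split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            continue                                   # not an IP literal
        # Normalise IPv4-mapped IPv6 so ::ffff:5.45.75.11 still matches.
        found.append(getattr(addr, "ipv4_mapped", None) or addr)
    return found

def audit_resolvers(resolv_conf_text, expected):
    """Sort configured resolvers into rogue / expected / unexpected buckets."""
    expected_set = {ipaddress.ip_address(e) for e in expected}
    report = {"rogue": [], "expected": [], "unexpected": []}
    for addr in parse_nameservers(resolv_conf_text):
        if addr in ROGUE_RESOLVERS:
            report["rogue"].append(str(addr))
        elif addr in expected_set:
            report["expected"].append(str(addr))
        else:
            report["unexpected"].append(str(addr))
    return report

# Constructed sample input (not taken from the article).
SAMPLE = """\
# constructed sample
nameserver 192.168.1.1
nameserver 5.45.75.11   # pushed by DHCP
nameserver ::ffff:5.45.76.36
nameserver 203.0.113.53
nameserver not-an-ip
search lan
"""

if __name__ == "__main__":
    # expected=[...] is an assumption: the resolvers this network should be using.
    for bucket, addrs in audit_resolvers(SAMPLE, expected=["192.168.1.1"]).items():
        print(f"{bucket}: {', '.join(addrs) or '-'}")
```

If the router hands out its own LAN address as the resolver, a client shows only that address, so the DNS fields on the router's own settings page need the same comparison.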